netsh wlan add profile not importing encrypted passphrase

8

4

I exported a wireless network connection profile from a Windows 7 machine correctly connected to a WiFi network with a WPA-TKIP passphrase. The exported xml file shows the correct settings and a keyMaterial node which I can only guess is the encrypted passphrase.

When I take the xml to another Windows 7 computer and import it using netsh wlan add profile filename="WiFi.xml", it correctly adds the profile's SSID and encryption type, but a balloon pops up saying that I need to enter the passphrase.

Is there a way to import the passphrase along with all other settings or am I missing something about adding profiles?

Here is the exported xml with personal information removed:

<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
    <name>[removed]</name>
    <SSIDConfig>
        <SSID>
            <hex>[removed]</hex>
            <name>[removed]</name>
        </SSID>
        <nonBroadcast>false</nonBroadcast>
    </SSIDConfig>
    <connectionType>ESS</connectionType>
    <connectionMode>auto</connectionMode>
    <autoSwitch>false</autoSwitch>
    <MSM>
        <security>
            <authEncryption>
                <authentication>WPAPSK</authentication>
                <encryption>TKIP</encryption>
                <useOneX>false</useOneX>
            </authEncryption>
            <sharedKey>
                <keyType>passPhrase</keyType>
                <protected>true</protected>
                <keyMaterial>[removed]</keyMaterial>
            </sharedKey>
        </security>
    </MSM>
</WLANProfile>

Any help or advice is appreciated. Thanks.

Update: It seems if I export the settings using key=clear, the passphrase is stored in the file unprotected and I can import the file on another computer without issue. I've updated my question to reflect my findings.

matpie

Posted 2010-04-20T20:21:04.020

Reputation: 1 560

1 Since no answer has been marked as correct, I typed up the answer you gave in your question. – Jason R. Coombs – 2011-03-02T22:12:55.887

Answers

9

Just use the key=clear parameter when exporting the profiles.

netsh wlan export profile key=clear

Now the passphrase/key will be stored in the XML file(s) in the clear. When you import the profile (as above), you will not be prompted for a passphrase.

Jason R. Coombs

Posted 2010-04-20T20:21:04.020

Reputation: 1 952

1 When running the netsh wlan export profile key=clear command, you must be running the command prompt as administrator. Otherwise, it will not give you an error but will simply ignore the key=clear argument. To run as administrator, go to Start -> All Programs -> Accessories and right click on Command Prompt, choosing "Run as Administrator." – HaroldFinch – 2016-07-23T19:37:22.220

3

The problem is that the encrypted password was encrypted with a machine-specific key on the machine you exported the config from. You could import that xml file back into the same machine and it would work just fine. But it won't work on a different machine because the 2nd machine doesn't have the same machine-specific key and can't decrypt the password.

I'm not exactly sure what netsh uses as the machine-specific key or whether it's possible to clone it from one system to another.

Ryan Bolger

Posted 2010-04-20T20:21:04.020

Reputation: 3 351

Thanks Ryan, that would explain why it worked on my test machine. I'd have to store the password unencrypted anyway then since we sysprep our machines before imaging which wipes out all unique identifiers. – matpie – 2011-03-03T19:22:51.917

Hey Ryan, someone plagiarized you – Canadian Luke – 2013-08-16T15:57:51.477

3

Ryan is right in that the key has a machine-specific encryption. Here's a solution:

  1. Open your XML file and locate the following line: <protected>true</protected>

  2. Change it to: <protected>false</protected>

  3. Under it you will see the encrypted line: <keyMaterial>01000000D08C9DDF0115D1118</keyMaterial>

  4. Change it to your key in plain text: <keyMaterial>Yourkey</keyMaterial>

Note: It means that your wireless key will be in clear text and everyone who has access to the file will be able to read your wireless key. But it works!

Tu Pham

Posted 2010-04-20T20:21:04.020

Reputation: 31

While this will work, it's much easier to export the cleartext version from the beginning using @Jason's answer. Thanks for the answer though! – matpie – 2012-01-11T00:20:45.060
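The answers above leave two kinds of exported profile on disk: one whose keyMaterial is a machine-bound blob and one whose keyMaterial is the passphrase itself. The following is an added example, not part of the original thread, that classifies exported profile XML by how the key is stored so cleartext copies can be found and removed after deployment; the sample profiles, their names and their key values are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}
KEY = "w:MSM/w:security/w:sharedKey"

def audit_profile(xml_text):
    """Report how the shared key is stored, without echoing the key itself."""
    root = ET.fromstring(xml_text)
    finding = {"name": root.findtext("w:name", "", NS), "key_storage": "none"}
    shared = root.find(KEY, NS)
    if shared is None:                  # no sharedKey element in this profile
        return finding
    protected = shared.findtext("w:protected", "", NS).strip().lower()
    material = shared.findtext("w:keyMaterial", "", NS).strip()
    if not material:
        finding["key_storage"] = "missing"
    elif protected == "true":
        # Machine-bound blob: per the answers above, it only imports
        # cleanly on the machine that exported it.
        finding["key_storage"] = "protected"
    else:
        # key=clear export or hand-edited file: readable by anyone with the file.
        finding["key_storage"] = "cleartext"
        finding["key_length"] = len(material)
    return finding

def cleartext_profiles(xml_docs):
    """Names of the profiles whose passphrase is stored in the clear."""
    findings = map(audit_profile, xml_docs)
    return [f["name"] for f in findings if f["key_storage"] == "cleartext"]

# Constructed sample profiles (shape follows the export shown in the question).
TEMPLATE = (
    '<?xml version="1.0"?>'
    '<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">'
    '<name>{name}</name><MSM><security>'
    '<authEncryption><authentication>WPAPSK</authentication>'
    '<encryption>TKIP</encryption><useOneX>false</useOneX></authEncryption>'
    '<sharedKey><keyType>passPhrase</keyType>'
    '<protected>{protected}</protected>'
    '<keyMaterial>{material}</keyMaterial></sharedKey>'
    '</security></MSM></WLANProfile>'
)
PROTECTED_SAMPLE = TEMPLATE.format(
    name="ExampleNet-protected", protected="true", material="CONSTRUCTED-OPAQUE-BLOB")
CLEAR_SAMPLE = TEMPLATE.format(
    name="ExampleNet-clear", protected="false", material="constructed-passphrase")

if __name__ == "__main__":
    for doc in (PROTECTED_SAMPLE, CLEAR_SAMPLE):
        print(audit_profile(doc))
```
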

0

I have successfully used the Wireless LAN API on my Windows XP machines, hope it helps you too (haven't tested on Win7)

EDIT:

I know it's weird that it's written by a Symantec guy, but what can you do :)

Mads Troelsen

Posted 2010-04-20T20:21:04.020

Reputation: 1